
David Evans cs.virginia/~evans




  1. Lecture 11: Birthday Paradoxes David Evans http://www.cs.virginia.edu/~evans CS588: Security and Privacy University of Virginia Computer Science

  2. Quiz Results
     1. How well do you feel you understand RSA?
        a. Broke it yesterday: 0
        b. Well enough to implement: 2 (1 has done it)
        c. Almost everything in RSA paper: 4 (but 2 revealed otherwise in their answers)
        d. Sort of: 19 (6 answered all questions well)
        e/f. Not really, No Clue: 11
     8 got all blanks right
     8 got all blanks right except $ed \equiv 1 \bmod (p - 1)(q - 1)$
     University of Virginia CS 588

  3. Quiz Results
     Lectures
     way too fast: 3
     too fast: 23
     write in “little too fast”: 3
     write in “just right”: 2
     too slow: 2 (with comments: a little, but really think they’re fine)
     way too slow: 0

  4. Selected Comments
     “Math is too fast – and I am a math major!”
     “Too much math”
     “The proofs often lose me.”
     “It is difficult to follow the reasoning on the math from just slides, the math using the board made more sense.”
     “Explain the math more in encryption, using white board or chalkboard.”
     “Less focus on math/proofs, more on general concepts” { want to have more combination of theory and daily application }
     “More practical examples might help”

  5. More Comments
     “Doing the homework always helps me understand much better.”
     “I usually can’t keep up in lectures, but can understand after reviewing slides out of class.”
     “All quizzes and tests should be anonymous.”
     “Wish people felt more comfortable speaking out answers even when wrong.”
     “You tend to progress as soon as you have verification that 1 person understands. Wait ‘till the majority of the class understands.”

  6. Security depends on this being secret: $ed \equiv 1 \bmod\ ???$
     • Public encryption function: $E(M) = M^e \bmod n$
     • Private encryption function: $D(C) = C^d \bmod n$
     Most common (wrong) answer: $ed \equiv 1 \bmod n$ [Wrong]

  7. Solving for d
     $ed \equiv 1 \bmod n$
     e, n are known (public key) and relatively prime
     $ed = k_0 n + 1$ for some $k_0$
     $ed - k_0 n = 1$
     $ed + nk = 1$ ($k = -k_0$)
     How do we find d?
     $ed + nk = 1 = \gcd(e, n)$
     Euclidean Algorithm, see MBC 7.5 for proof and explanation.

  8. The Real Mod
     • Finding d such that $ed \equiv 1 \bmod X$ is easy if we know the value of X
     • So, security of RSA depends on X being unknown to the public
     • Could it be $pq$?
     • Could it be $(p - 1)q$?

  9. To Decrypt: $M \equiv M^{ed} \bmod n$
     Euler’s Theorem: $a^{\varphi(n)} \equiv 1 \bmod n$
     $M \bmod n = M^{\varphi(n)} M \bmod n$
     $M \bmod n = M^{k\varphi(n)} M \bmod n$ for any k
     $= M^{k\varphi(n) + 1} \bmod n$
     $ed = k\varphi(n) + 1$
     $ed \equiv 1 \bmod \varphi(n)$
     $\varphi(n) = \varphi(pq) = (p - 1)(q - 1)$
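Slides 6 to 9 as a worked example, added here and not part of the lecture: the extended Euclidean algorithm from slide 7 solves for d against whatever modulus it is given, so a d defined mod n could be computed by anyone from the public key, and it also fails to decrypt. The primes 61 and 53, e = 17, and the function names are assumptions chosen for illustration.

```python
# Added example: toy RSA key with small primes, chosen only for readability.
def egcd(a, b):
    """Extended Euclid: return (g, s, t) with a*s + b*t == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def inverse(e, modulus):
    """Solve e*d + modulus*k = 1 for d (slide 7), reduced into [0, modulus)."""
    g, d, _ = egcd(e, modulus)
    if g != 1:
        raise ValueError("e and the modulus are not relatively prime")
    return d % modulus


P, Q, E = 61, 53, 17              # assumed toy values
N = P * Q                         # public modulus
PHI = (P - 1) * (Q - 1)           # secret: computing it needs the factors of N

D_WRONG = inverse(E, N)           # the quiz's common wrong answer: ed = 1 mod n
D_RIGHT = inverse(E, PHI)         # ed = 1 mod (p - 1)(q - 1)


def round_trip(m, d):
    """Encrypt with the public key, then decrypt with candidate exponent d."""
    return pow(pow(m, E, N), d, N)


if __name__ == "__main__":
    for label, d in (("mod n", D_WRONG), ("mod phi(n)", D_RIGHT)):
        print(label, "d =", d, "65 ->", round_trip(65, d))
```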

  10. Hashes

  11. Why is there a hash in certificates?
      Actually there isn’t! Your browser calculates the hash from the whole certificate.

  12. Cryptographic Hash Functions
      • Many-to-one: compresses
      • Even distribution: $P(H(x) = n) = 1/N$
      • Efficient: $H(x)$ is easy to compute.
      • One-way: given $H(x)$, hard to find x
      • Collision resistance:
        Weak collision resistance: given x, it is hard to find $y \neq x$ such that $H(y) = H(x)$.
        Strong collision resistance: it is hard to find any x and $y \neq x$ such that $H(y) = H(x)$.

  13. IOU Request Protocol
      [Diagram: Bob (knows $KU_A$) sends x to Alice (holds $\{KU_A, KR_A\}$); Alice returns $E_{KR_A}[H(x)]$. Bob sends y and $E_{KR_A}[H(x)]$ to the Judge (knows $KU_A$).]
      Bob picks x and y such that $H(x) = H(y)$.

  14. Finding x and y
      Bob generates $2^{10}$ different agreeable (to Alice) $x_i$ messages:
      I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 | $2.00 | 2 dollars | two dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2002 | 2002 AD}.

  15. Finding x and y
      Bob generates $2^{10}$ different agreeable (to Bob) $y_i$ messages:
      I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 quadrillion | $2000000000000000 | 2 quadrillion dollars | two quadrillion dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2002 | 2002 AD}.

  16. Bob the Quadrillionaire!?
      • For each message $x_i$ and $y_i$, Bob computes $hx_i = H(x_i)$ and $hy_i = H(y_i)$.
      • If $hx_i = hy_j$ for some i and j, Bob sends Alice $x_i$, gets $E_{KR_A}[H(x)]$ back.
      • Bob sends the judge $y_j$ and $E_{KR_A}[H(x_i)]$.
      • Is this different from when Alice chooses x?

  17. Chances of Success
      • Hash function generates a 64-bit digest ($n = 2^{64}$)
      • Hash function is good (randomly distributed and diffuse)
      • Chance a randomly chosen message maps to a given hash value: 1 in $n = 2^{-64}$
      • By hashing m good messages, chance that a randomly chosen bad message maps to one of the m different hash values: $m \cdot 2^{-64}$
      • By hashing m good messages and m bad messages: $m \cdot m \cdot 2^{-64}$ (approximation)

  18. Is Bob a Quadrillionaire?
      • $m = 2^{10}$
      • $2^{10} \cdot 2^{10} \cdot 2^{-64} = 2^{-44}$ (still a pauper)
      • Try $m = 2^{32}$
      • $2^{32} \cdot 2^{32} \cdot 2^{-64} = 2^0 = 1$ (yippee!)
      • Flaw: some of the messages might hash to the same value, might need more than $2^{32}$ to find match.
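Slides 14 to 18 as a runnable example, added here and not part of the lecture: it expands the two message templates into their $2^{10}$ variants each and searches for a cross-collision, showing why digest length is what protects the signer. The hash is SHA-256 truncated to 16 bits (an assumption so the match appears with only $2^{10}$ messages per side); function names are illustrative.

```python
import hashlib
from itertools import product

BITS = 16  # assumed toy digest size; the slides assume 64 bits


def H(msg, bits=BITS):
    """Toy weak hash: the top `bits` bits of SHA-256 (constructed for this demo)."""
    full = int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big")
    return full >> (256 - bits)


def variants(amounts):
    """All wordings of the IOU template from slides 14 and 15."""
    slots = [["Alice", "Alice Hacker", "Alice P. Hacker", "Ms. A. Hacker"],
             ["owe", "agree to pay"], ["the sum of", "the amount of"], amounts,
             ["by", "before"], ["January 1st", "1 Jan", "1/1", "1-1"],
             ["2002", "2002 AD"]]
    return ["I, {}, {} Bob {} {} {} {} {}.".format(*c) for c in product(*slots)]


GOOD = variants(["$2", "$2.00", "2 dollars", "two dollars"])
BAD = variants(["$2 quadrillion", "$2000000000000000",
                "2 quadrillion dollars", "two quadrillion dollars"])


def find_collision(good, bad, bits=BITS):
    """Return (x, y) with H(x) == H(y), x from good and y from bad, or None."""
    seen = {}
    for x in good:
        seen.setdefault(H(x, bits), x)
    for y in bad:
        x = seen.get(H(y, bits))
        if x is not None:
            return x, y
    return None


def expected_matches(m, bits):
    """Slide 17's approximation: m * m * 2^-bits."""
    return m * m / 2 ** bits


if __name__ == "__main__":
    print(expected_matches(len(GOOD), BITS), find_collision(GOOD, BAD))
    print(expected_matches(len(GOOD), 64), find_collision(GOOD, BAD, 64))
```

At 16 bits the approximation predicts about 16 matching pairs; at 64 bits it predicts $2^{-44}$ and the same search returns nothing, which is the "still a pauper" case on slide 18.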

  19. Birthday “Paradox”
      What is the probability that two people in this room have the same birthday?

  20. Birthday Paradox
      Ways to assign k different birthdays without duplicates:
      $N = 365 \cdot 364 \cdots (365 - k + 1) = 365! / (365 - k)!$
      Ways to assign k different birthdays with possible duplicates:
      $D = 365 \cdot 365 \cdots 365 = 365^k$

  21. Birthday “Paradox”
      Assuming real birthdays assigned randomly:
      $N/D$ = probability there are no duplicates
      $1 - N/D$ = probability there is a duplicate
      $= 1 - 365! / ((365 - k)! \, 365^k)$

  22. Generalizing Birthdays
      $P(n, k) = 1 - \dfrac{n!}{(n - k)! \, n^k}$
      Given k random selections from n possible values, P(n, k) gives the probability that there is at least 1 duplicate.

  23. Birthday Probabilities
      P(no two match) = 1 – P(all are different)
      P(2 chosen from N are different) $= 1 - 1/N$
      P(3 are all different) $= (1 - 1/N)(1 - 2/N)$
      P(n trials are all different) $= (1 - 1/N)(1 - 2/N) \cdots (1 - (n - 1)/N)$
      $\ln(P) = \ln(1 - 1/N) + \ln(1 - 2/N) + \dots + \ln(1 - (k - 1)/N)$

  24. Happy Birthday Bob!
      $\ln(P) = \ln(1 - 1/N) + \dots + \ln(1 - (k - 1)/N)$
      For $0 < x < 1$: $\ln(1 - x) \approx -x$
      $\ln(P) \approx -(1/N + 2/N + \dots + (n - 1)/N)$
      Gauss says: $1 + 2 + 3 + 4 + \dots + (n - 1) + n = \tfrac{1}{2} n (n + 1)$
      So, $\ln(P) \approx -\tfrac{1}{2}(k - 1)k/N$
      $P \approx e^{-\frac{1}{2}(k - 1)k/N}$
      Probability of match $\approx 1 - e^{-\frac{1}{2}(k - 1)k/N}$

  25. Applying Birthdays
      $P(n, k) > 1 - e^{-k(k-1)/2n}$
      • For $n = 365$, $k = 40$: $P(365, 40) > 1 - e^{-40 \cdot 39/(2 \cdot 365)}$, so $P(365, 40) > .88$
      • For $n = 2^{64}$, $k = 2^{32}$: $P(2^{64}, 2^{32}) > .39$
      • For $n = 2^{64}$, $k = 2^{33}$: $P(2^{64}, 2^{33}) > .86$
      • For $n = 2^{64}$, $k = 2^{34}$: $P(2^{64}, 2^{34}) > .9996$
      • For $n = 2^{128}$, $k = 2^{40}$: $P(2^{128}, 2^{40}) > 10^{-15}$
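The figures on slide 25 can be reproduced, and the bound compared with the exact product from slide 23, with the following added example (not from the lecture). The function names are assumptions, and `draws_for` goes one step beyond the slides by inverting the bound to give the number of hashes needed for a chosen collision probability.

```python
import math


def p_exact(n, k):
    """P(n, k) = 1 - n! / ((n - k)! n^k), as the running product of slide 23."""
    no_dup = 1.0
    for i in range(1, k):
        no_dup *= 1 - i / n
    return 1 - no_dup


def p_bound(n, k):
    """Slide 25's lower bound 1 - e^(-k(k-1)/2n).

    expm1 keeps full precision when the result is tiny (n = 2^128 case);
    computing 1 - exp(x) directly would round most of the digits away.
    """
    return -math.expm1(-k * (k - 1) / (2 * n))


def draws_for(n, target=0.5):
    """Smallest k whose bound reaches `target`: k(k-1) >= 2n ln(1/(1-target))."""
    c = 2 * n * math.log(1 / (1 - target))
    k = math.isqrt(int(c))
    while k * (k - 1) < c:
        k += 1
    return k


if __name__ == "__main__":
    print("exact P(365, 40) =", round(p_exact(365, 40), 4))
    for n, k in ((365, 40), (2**64, 2**32), (2**64, 2**33),
                 (2**64, 2**34), (2**128, 2**40)):
        print(f"n=2^{math.log2(n):.1f} k=2^{math.log2(k):.1f} "
              f"bound={p_bound(n, k):.4g}")
    print("hashes for 50% on a 64-bit digest:", draws_for(2**64))
```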

  26. Finding Problem Set Partners
      • Simple way:
        • Ask people in the class if they want to work with you
      • Problems:
        • You face rejection and ridicule if they say no
      • Can you find partners without revealing your wishes unless they are reciprocated?
        • Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them
